High value information technology (IT) assets, such as endpoints, servers, and devices, are under continual attack by well-resources adversaries that can leverage component product and software defects in order to gain control of the assets. The impact of a significant compromise may be catastrophic. Compromise can be due to software bugs, configuration errors, or design flaws—all of which involve low-level technical details and are difficult to ascribe to high-level system services and mission needs. As adversaries probe complex systems, their activities will inevitably be visible in event logs, intrusion detection systems (IDS), and security information and event management (SIEM) facilities.
Existing intrusion detection, logging, and security information and event management (SIEM) systems may provide security personnel with a deluge of information. However, much of the information may be either false alarms or activities with minimal impact. Continuous monitoring of an asset's typical behavior including running processes, communications, memory use, and storage may reveal useful anomalous events. However, false positive may be high, and human specialists may still spend considerable time sorting through events to determine the highest value investigations to pursue. It is difficult to see the critical alerts among the unimportant or false ones. Without a considerable reduction in false positives, there is little hope in providing sufficiently automated resolutions. False alarms drain resources and contribute to cognitive overload among analysts, whose time is limited and expensive.
In addition, large numbers of network probes threaten to drown out significant events that require analyst attention and immediate response. Due to lack of automated responses, accurate sensors and personnel, the time required to recognize, diagnose, and act upon events in the commercial sector is in the range of days and hours.
Host-based and network-based intrusion detection systems (IDS) may identify unauthorized, illicit, and anomalous behavior based on agents placed on hosts or upon network traffic. Logs from hosts, servers, firewalls and other devices may also provide an indication of unapproved and irregular activities within the network and on individual devices. Security information and event management technology has been developed and adopted by sectors in the commercial world that supports threat detection through real-time collection and analysis of security events from a wide variety of sensors and events.
Improvements in IDS and SIEM technology may gradually reduce false alarm rates, but these systems cannot take overall mission needs and priorities into account. What is needed is a system/mission model that maps high-level concerns to potential low-level vulnerabilities, compromises, or indications of suspicious activity. For enterprise-scale systems, such models can become very complex; a machine-readable model is needed that can perform automated calculations of various metrics (impact, potential for loss of life, remediation cost, etc.). Such a model is also requisite for any type of automated response: it is only by assessing larger impacts that an automated system can make necessary changes without disrupting essential services.
A driver for operating cost effective and secure operation environments may be availability of subject matter experts to monitor highly protected assets. Their labor hours may be a limited resource and the ability to focus their expertise on the highest value defense activities is an important way to most effectively leverage their resources. Therefore, there is a need for tools and means of ranking and prioritizing attack indicators so that their time may be more efficiently spent on the most important threats. Such tools and means may also lead to eventual automation of monitor and response capabilities, and help reduce time for most serious events down to hours/minutes.